• lemmyvore@feddit.nl
    link
    fedilink
    English
    arrow-up
    1
    ·
    4 months ago

    As opposed to what, the domain certificate? Which can’t be air-gapped because it needs to be used by services and reverse proxies.

    • BestBouclettes@jlai.lu
      link
      fedilink
      English
      arrow-up
      1
      ·
      4 months ago

      The domain certificate is public and its key is private? That’s basically it, if anyone gets access to your key, they can sign with your name and generate certificates without your knowledge. That’s my opinion and the main reason why I wouldn’t have a self hosted CA, maybe I’m wrong or misled, but it’s a lot of work to ensure everything is safe, only for a self hosted setup.